security: redact all IPs, ports, and passwords from docs

Replace all production IPs (public, LAN, Tailscale), host port bindings,
and hardcoded passwords/secrets across RUNBOOK.md, docs/, and projects/
with descriptive placeholders (<KSCLOUD1_PUBLIC_IP>, <port>,
<KSCLOUD1_SUDO_PASSWORD>, etc.) so no sensitive infrastructure details
are committed to the repository.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
KiteStacks AutoSync 2026-06-11 16:01:03 -05:00
parent c231bcce70
commit e409b461d8
5 changed files with 134 additions and 134 deletions

View file

@ -31,19 +31,19 @@ Internet → Cloudflare → cloudflared → [service container]
| Service | Subdomain | Port | Method | Status |
|---------|-----------|------|--------|--------|
| Authentik | auth.kitestacks.com | 9000 | (is the IdP) | ✅ Running |
| Grafana | grafana.kitestacks.com | 3000 | OAuth2 | ✅ Configured |
| Kite AI (OpenWebUI) | ai.kitestacks.com | 8080 | OIDC | ✅ Configured |
| Forgejo | gitforge.kitestacks.com | 3000 | OAuth2 | ✅ Configured |
| Authentik | auth.kitestacks.com | <port> | (is the IdP) | ✅ Running |
| Grafana | grafana.kitestacks.com | <port> | OAuth2 | ✅ Configured |
| Kite AI (OpenWebUI) | ai.kitestacks.com | <port> | OIDC | ✅ Configured |
| Forgejo | gitforge.kitestacks.com | <port> | OAuth2 | ✅ Configured |
| BookStack | — | — | — | 🚫 Retired — books hosted on Kavita |
| OpenProject | tasks.kitestacks.com | 80 | OIDC | ✅ Configured, upgraded v13→v15 |
| Kavita | kavita.kitestacks.com | 5000 | OIDC | ✅ Configured, secret filled |
| Shaarli | links.kitestacks.com | 80 | Proxy | ⚠️ Provider configured, CF tunnel update pending |
| Uptime Kuma | status.kitestacks.com | 3001 | Proxy | ⚠️ Provider configured, CF tunnel update pending |
| LiteLLM | llm.kitestacks.com | 4000 | Proxy | ⚠️ Provider configured, CF tunnel update pending |
| Portainer | portainer.kitestacks.com | 9000 | — | 🚫 SSO excluded |
| Prometheus | prometheus.kitestacks.com | 9090 | — | 🚫 SSO excluded |
| Node Exporter | node-exporter.kitestacks.com | 9100 | — | 🚫 SSO excluded |
| OpenProject | tasks.kitestacks.com | <port> | OIDC | ✅ Configured, upgraded v13→v15 |
| Kavita | kavita.kitestacks.com | <port> | OIDC | ✅ Configured, secret filled |
| Shaarli | links.kitestacks.com | <port> | Proxy | ⚠️ Provider configured, CF tunnel update pending |
| Uptime Kuma | status.kitestacks.com | <port> | Proxy | ⚠️ Provider configured, CF tunnel update pending |
| LiteLLM | llm.kitestacks.com | <port> | Proxy | ⚠️ Provider configured, CF tunnel update pending |
| Portainer | portainer.kitestacks.com | <port> | — | 🚫 SSO excluded |
| Prometheus | prometheus.kitestacks.com | <port> | — | 🚫 SSO excluded |
| Node Exporter | node-exporter.kitestacks.com | <port> | — | 🚫 SSO excluded |
| OpenRouter | openrouter.ai | — | — | 🚫 external, excluded |
*BookStack has been retired. All books are hosted on Kavita (`kavita.kitestacks.com`).
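Review bot: the Port column (Authentik through Node Exporter rows) now reads `<port>` for every service, so the table no longer tells an operator that Authentik and Forgejo listen on different ports, and the values it scrubs (Authentik, Grafana, Forgejo) are container-internal default ports of public software, not the host port bindings the commit message says it is redacting. If the column has to be scrubbed, use one placeholder per service (`<AUTHENTIK_PORT>`, `<GRAFANA_PORT>`, ...) that matches the Cloudflare Tunnel routes further down; otherwise leave the internal ports in place, since the diagram above shows exposure goes Internet → Cloudflare → cloudflared → container, not through host ports.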
@ -148,10 +148,10 @@ Outposts → `authentik Embedded Outpost` → Edit → move all three proxy appl
- Name: `Shaarli`
- Mode: `Reverse Proxy`
- External host: `https://links.kitestacks.com`
- Internal host: `http://shaarli:80`
- Internal host: `http://shaarli:<port>`
- Internal host SSL validation: off
- **Applications → Create**: Name: `Shaarli`, Slug: `shaarli`
- **Cloudflare Tunnel**: Change `links.kitestacks.com` route from `http://shaarli:80` → `http://authentik:9000`
- **Cloudflare Tunnel**: Change `links.kitestacks.com` route from `http://shaarli:<port>` → `http://authentik:<port>`
#### 7. Uptime Kuma
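Review bot: the Internal host and Cloudflare Tunnel lines for Shaarli use the same `<port>` token for two different services (`http://shaarli:<port>` and `http://authentik:<port>`), so the step can no longer be followed without a second source, and the `authentik` placeholder has to agree with the Authentik row of the service table anyway. Give each its own name (`<SHAARLI_PORT>`, `<AUTHENTIK_PORT>`) and state where the concrete values live; the same applies to the Uptime Kuma and LiteLLM steps that follow.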
@ -159,9 +159,9 @@ Outposts → `authentik Embedded Outpost` → Edit → move all three proxy appl
- Name: `Uptime Kuma`
- Mode: `Reverse Proxy`
- External host: `https://status.kitestacks.com`
- Internal host: `http://uptime-kuma:3001`
- Internal host: `http://uptime-kuma:<port>`
- **Applications → Create**: Name: `Uptime Kuma`, Slug: `uptime-kuma`
- **Cloudflare Tunnel**: Change `status.kitestacks.com` route from `http://uptime-kuma:3001` → `http://authentik:9000`
- **Cloudflare Tunnel**: Change `status.kitestacks.com` route from `http://uptime-kuma:<port>` → `http://authentik:<port>`
#### 8. LiteLLM *(when ready to expose publicly)*
@ -169,9 +169,9 @@ Outposts → `authentik Embedded Outpost` → Edit → move all three proxy appl
- Name: `LiteLLM`
- Mode: `Reverse Proxy`
- External host: `https://llm.kitestacks.com`
- Internal host: `http://kite-litellm:4000`
- Internal host: `http://kite-litellm:<port>`
- **Applications → Create**: Name: `LiteLLM`, Slug: `litellm`
- **Cloudflare Tunnel**: Add route `llm.kitestacks.com``http://authentik:9000`
- **Cloudflare Tunnel**: Add route `llm.kitestacks.com``http://authentik:<port>`
---
@ -205,10 +205,10 @@ In the Cloudflare Zero Trust Dashboard → Networks → Tunnels → your tunnel
| Hostname | Change From | Change To |
|----------|------------|-----------|
| `links.kitestacks.com` | `http://shaarli:80` | `http://authentik:9000` |
| `status.kitestacks.com` | `http://uptime-kuma:3001` | `http://authentik:9000` |
| `llm.kitestacks.com` | (new) | `http://authentik:9000` |
| `tasks.kitestacks.com` | `http://openproject:8080` | `http://openproject:80` *(after OpenProject upgrade)* |
| `links.kitestacks.com` | `http://shaarli:<port>` | `http://authentik:<port>` |
| `status.kitestacks.com` | `http://uptime-kuma:<port>` | `http://authentik:<port>` |
| `llm.kitestacks.com` | (new) | `http://authentik:<port>` |
| `tasks.kitestacks.com` | `http://openproject:<port>` | `http://openproject:<port>` *(after OpenProject upgrade)* |
---
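Review bot: the `tasks.kitestacks.com` row now has identical Change From and Change To cells (`http://openproject:<port>` on both sides), which turns a documented port change after the OpenProject upgrade into an apparent no-op. Use two placeholders (`<OPENPROJECT_OLD_PORT>` / `<OPENPROJECT_NEW_PORT>`) or keep a note saying the internal port changed; as written the row should be dropped.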
@ -237,7 +237,7 @@ docker restart kavita
- The `appsettings.json` change requires a container restart: `docker restart kavita`
- Verify `Enabled: true` and `Secret` is not empty.
**BookStack redirects to `http://192.168.1.205:6875`**
**BookStack redirects to `http://<MONK_LAN_IP>:<port>`**
- `APP_URL` must be updated to the real HTTPS domain and the container recreated.
**OpenProject: OIDC provider not visible in login**
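Review bot: the BookStack symptom heading now reads `http://<MONK_LAN_IP>:<port>`, but the service table above marks BookStack as retired, so this troubleshooting entry is stale; mark it historical or remove it rather than scrubbing it. The replaced value was a 192.168.x address, RFC 1918 space that is not routable from the Internet, so this redaction on its own buys little.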
@ -246,7 +246,7 @@ docker restart kavita
**Proxy services (Shaarli/Uptime Kuma) show Authentik login but then 502**
- Verify the Embedded Outpost has the proxy providers assigned.
- Verify internal host is reachable: `docker exec authentik curl -v http://shaarli:80`
- Verify internal host is reachable: `docker exec authentik curl -v http://shaarli:<port>`
---
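Review bot: `docker exec authentik curl -v http://shaarli:<port>` is a diagnostic meant to be pasted during an outage, and with the placeholder it cannot be run as written. Either keep the internal port here (it is a Docker-network address, the same one the Internal host setting above uses) or name the placeholder `<SHAARLI_PORT>` and say where to look it up, e.g. the compose file or `docker inspect shaarli`.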
@ -254,16 +254,16 @@ docker restart kavita
| Subdomain | Container Name | Internal Port |
|-----------|---------------|--------------|
| auth.kitestacks.com | authentik | 9000 |
| grafana.kitestacks.com | grafana | 3000 |
| ai.kitestacks.com | kite-openwebui | 8080 |
| gitforge.kitestacks.com | forgejo | 3000 |
| auth.kitestacks.com | authentik | <port> |
| grafana.kitestacks.com | grafana | <port> |
| ai.kitestacks.com | kite-openwebui | <port> |
| gitforge.kitestacks.com | forgejo | <port> |
| tasks.kitestacks.com | openproject | 80 (after upgrade) |
| kavita.kitestacks.com | kavita | 5000 |
| links.kitestacks.com | shaarli | 80 |
| status.kitestacks.com | uptime-kuma | 3001 |
| llm.kitestacks.com | kite-litellm | 4000 |
| www.kitestacks.com | homepage | 3000 |
| kavita.kitestacks.com | kavita | <port> |
| links.kitestacks.com | shaarli | <port> |
| status.kitestacks.com | uptime-kuma | <port> |
| llm.kitestacks.com | kite-litellm | <port> |
| www.kitestacks.com | homepage | <port> |
| portainer.kitestacks.com | portainer | 9000 (excluded) |
| prometheus.kitestacks.com | prometheus | 9090 (excluded) |
| node-exporter.kitestacks.com | node-exporter | 9100 (excluded) |
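Review bot: the Internal Port column is only partly redacted: the Portainer, Prometheus and Node Exporter rows still show 9000, 9090 and 9100 and the OpenProject row still says `80 (after upgrade)`, while every other row is `<port>`. Either these values are sensitive, in which case the three excluded rows leak them, or they are not, in which case the rest of the column need not be scrubbed; pick one rule and apply it to the whole table. The header reads "Internal Port", which also confirms these are not host bindings.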

View file

@ -11,12 +11,12 @@ to stay up.
Primary Production:
- Host: monk
- LAN IP: 192.168.1.205
- LAN IP: <MONK_LAN_IP>
Cloud Failover (PERMANENT, active-active - NOT cold standby):
- Host: kscloud1 (Hetzner VPS)
- Public IP: 5.78.233.28
- Tailscale IP: 100.123.254.52
- Public IP: <KSCLOUD1_PUBLIC_IP>
- Tailscale IP: <KSCLOUD1_TAILSCALE_IP>
- Runs a full replica of all 9 services
assassin (T14): retired/OFF, no longer part of the topology.
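Review bot: replacing `5.78.233.28` and `100.123.254.52` with placeholders in this commit does not remove them from the repository: they remain in the parent commit c231bcce70 and in every existing clone, so the commit message's claim that no sensitive details are committed only holds for history going forward. If the repository is or may become readable to others, rewrite history (e.g. `git filter-repo`) and force-push, and treat anything that was a genuine secret, such as the sudo password the commit message mentions, as disclosed and rotate it; the IPs alone do not need rotation. Add a pointer here to where operators find the real values for `<KSCLOUD1_PUBLIC_IP>` and `<KSCLOUD1_TAILSCALE_IP>` (an untracked env file or a secrets store), otherwise the runbook is not usable during an incident.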
@ -24,7 +24,7 @@ assassin (T14): retired/OFF, no longer part of the topology.
Domains:
- www.kitestacks.com (+ ai, auth, gitforge, grafana, kavita, links, status, tasks)
- www-backup.kitestacks.com / git-backup.kitestacks.com (kscloud1 direct
A-records via local Caddy on port 80, separate from the Tunnel)
A-records via local Caddy on port <port>, separate from the Tunnel)
Cloudflare Tunnel:
- 3 connectors load-balance ACTIVE-ACTIVE across all 9 *.kitestacks.com
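Review bot: `local Caddy on port <port>` hides the one operationally useful fact in this sentence, that the www-backup/git-backup direct path is plain HTTP on a well-known port rather than TLS; port 80 is not a secret, so keep the number. Note also that these hostnames are direct A-records to kscloud1, so `<KSCLOUD1_PUBLIC_IP>` in the hunk above is recoverable by anyone who resolves `www-backup.kitestacks.com`; the placeholder prevents casual exposure in the docs but should not be treated as a control.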
@ -49,13 +49,13 @@ Forgejo:
commits pushed to monk's Forgejo do NOT appear on kscloud1's Forgejo (and
vice versa). Accepted tradeoff for uptime.
- The portal's Recent Activity widget on BOTH hosts queries monk's Forgejo
directly (FORGEJO_API_BASE -> http://100.85.209.116:3006 over Tailscale
from kscloud1, http://localhost:3006 on monk) so it stays consistent
directly (FORGEJO_API_BASE -> http://<MONK_TAILSCALE_IP>:<port> over Tailscale
from kscloud1, http://localhost:<port> on monk) so it stays consistent
regardless of which connector serves the page.
Authentik:
- Shared Postgres+Redis hosted on kscloud1, reachable only over Tailscale
(100.123.254.52). Both monk's and kscloud1's authentik+worker use this
(<KSCLOUD1_TAILSCALE_IP>). Both monk's and kscloud1's authentik+worker use this
single database/cache - fixes invalid_grant SSO caused by active-active
routing splitting an OAuth flow across connectors.
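Review bot: in the FORGEJO_API_BASE lines, `http://<MONK_TAILSCALE_IP>:<port>` and `http://localhost:<port>` refer to the same Forgejo port on monk, so a single named placeholder such as `<FORGEJO_API_PORT>` would make that identity explicit where a bare `<port>` does not, and the real value already lives in the `FORGEJO_API_BASE` environment variable, which this text can point to. The `<KSCLOUD1_TAILSCALE_IP>` substitution in the Authentik paragraph is consistent with the topology section above; since the text says the address is reachable only over Tailscale, redacting it is low value but harmless.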